Analysis of Competing Hypotheses

The notion of competition among a series of plausible hypotheses to see which ones survive a gauntlet of testing for compatibility with available information. The surviving hypotheses—those that have not been disproved—are subjected to further testing [Citation 6]


Anchoring is a term used in psychology to describe the common human tendency to rely too heavily, or “anchor,” on one trait or piece of information when making decisions. [Citation 19]


A state of being unknown or unacknowledged. [Citation 17]

Anonymous Threatening Communications

A threat made through online or offline communication methods, without the rendition of the identity of the culprit. For example, a cyberstalker who threatens a young girl, forcing her to meet him, through the use of social media communications like Facebook. [Citation 7]

Authority Bias

Authority bias is the tendency to attribute greater accuracy to the opinion of an authority figure (unrelated to its content) and be more influenced by that opinion. [Citation 13]

Availability Heuristics

The vividness of a possible event makes it memorable for you to think it might actually happen. You judge the frequency, the probability, of something based on how easily you can bring it to mind. [Citation 3]

Availability Cascade

An availability cascade is a self-reinforcing cycle that explains the development of certain kinds of collective beliefs. A novel idea or insight, usually one that seems to explain a complex process in a simple or straightforward manner, gains rapid currency in the popular discourse by its very simplicity and by its apparent insightfulness. [Citation 13]

Bandwagon Effect

The bandwagon effect entails that people do something primarily because other people are doing it, regardless of their own beliefs, which they may ignore or override. [Citation 12]

Bias Blind Spot

The bias blind spot is the cognitive bias of recognising the impact of biases on the judgement of others, while failing to see the impact of biases on one’s own judgment. [Citation 8]

Behavioral Threat Assessment

Behavioural threat assessment is a systematic, fact-based method of investigation and examination that blends the collection and analysis of multiple sources of information with published research and practitioner experience, focusing on an individual’s patterns of thinking and behavior to determine whether, and to what extent, a person of concern is moving toward an attack. [Citation 1]

Coerced Insider

A coerced insider has no intention to cause harm to an organisation but his/her vulnerabilities are exploited by others to do so. [Citation 7]

Cognitive Dissonance

Cognitive dissonance is the mental discomfort (psychological stress) experienced by a person who simultaneously holds two or more contradictory beliefs, ideas, or values. The occurrence of cognitive dissonance is a consequence of a person’s performing an action that contradicts personal beliefs, ideals, and values; and also occurs when confronted with new information that contradicts said beliefs, ideals, and values.[Citation 26]

Confirmation Bias

The tendency to look for evidence or interpret information in a way that confirms a preconceived opinion. [Citation 1]

Critical Pathway to Insider Attacks

This methodological approach  describes the various factors that  contribute to individuals’ committing insider unlawful acts against their organizations.[Citation 23]

Crime Script

An individual’s’ preparations, planning, rehearsals, and security efforts ahead of a malicious act. [Citation 23]


Repeatedly critical remarks and teasing, often by a group, via electronic or online means. [Citation 17]


A crime committed against a computer or computing system (e.g., hacking) or in which a computer is the principal tool. For example, transmitting child abuse material. [Citation 17]

Cyber Maladaptive Behavior

Behavior that inhibits a person’s ability to adjust to particular situations in cyber contexts; attitudes, emotions, responses, and patterns of thought that result in negative outcomes. [Citation 17]


The study of the impact of technology on human behavior. [Citation 17]


Persistent harassment of an individual, group, or organisation using technology. [Citation 17]

Deception Detection

Deception refers to strategically tricking someone into accept something as true or valid. Detection refers to the art of identifying deceit. [Citation 7]


The process of deflecting from a set of rules and practiced culture within any societal, cultural or organisational setting. In the context of insider threat, derailment refers to the process in which the insider deviates from the ‘norm’, often expressed in a code of conduct, within an organisational context. [Citation 7]

Directly Communicated Threat

An unambiguously stated or written threat to either a target or to law enforcement expressing intent to commit violence. [Citation 1]

Disgruntled Employee

An employee normally becomes disgruntled due to an unmet expectation or a perceived unfortunate event (e.g., the insider was under the impression that he/she was about to be promoted, but was evidently passed over). [Citation 25]


Disinformation is information that is deliberately false or misleading. [Citation 3]

Duty to Warn/Protect

A legal duty of a mental health professional with knowledge of a potential act of violence by someone in his care, directed at a third party. This knowledge requires him to act reasonably to protect the potential victim from the threat. [Citation 1]


Espionage is a type of Insider Risk (see Critical Pathway to Insider Risk) that can be defined as obtaining secret or confidential information including assets without the permission of the asset holder. Espionage often carried out by recruiting spies and agencies to uncover secret information. Any individual or spy ring (a cooperating group of spies) in the service of a government, company or independent operation can commit espionage. The practice is clandestine by definition and in many cases illegal and punishable by law. 

Fake News

Fake news consists of the spread of inaccurate information, either intentional or unintentional. (See misinformation and disinformation for further explanation).[Citation 7]


An extreme preoccupation with another person, an activity, or an idea. In threat assessment and management cases, it is often observed to involve a grievance, personal cause, or a public figure. [Citation 1]

Functional Biases

Looking beyond how biases function to what function biases serve. [Citation 7]


Gaslighting has been used to describe situations in which a person orchestrates deceptions and inaccurately narrates events to the extent that their victim stops trusting their own judgments and perceptions. [Citation 3]


A cause of distress or reason for complaint/resentment. In threat assessment and management cases it includes a highly personal significance for the person of concern, often fueling a feeling of being wronged and generating behaviors related to a sense of mission, destiny, loss, or desire for revenge. [Citation 1]

Information Overload

Information overload occurs when the amount of input to a system exceeds its processing capacity. Decision makers have fairly limited cognitive processing capacity. Consequently, when information overload occurs, it is likely that a reduction in decision quality will occur. [Citation 2]


An insider is a person with authorized access to items that an organization wishes to protect- information, people, and dangerous or valuable materials, facilities and equipment. Insiders are often employees, but can also be contractors or certain types of visitors. [Citation 27]

Insider Threat

It is a threat posed to an organisation by someone who misuses or betrays, wittingly or unwittingly, their authorized access to any organisational resource. This threat can include damage through espionage, terrorism, unauthorized disclosure of confidential information, or through the loss or degradation of resources or capabilities of the organisation.[Citation 29]

Insider Trading

Insider trading is a type of Insider Risk (see CPIR – Critical Pathway to Insider Risk) that is defined as the trading of a public company’s stock or other securities by individuals with access to confidential information about this company. As insider trading is seen as unfair to other investors who do not have access to the same proprietary information, it is illegal in most countries and carries a penalty.

Intimacy Effect

The closer the interpersonal relationship between a person of concern and a target, the greater the likelihood is of violence. This intimacy can be based upon the person of concern’s perception of the relationship, including delusional perceptions. [Citation 3]

IP Theft

IP theft is a type of Insider Risk (see CPIR – Critical Pathway to Insider Risk) that is defined as the stealing of Intellectual Property. IP is a category of property that includes intangible creations of  intellect, and encompasses copyrights, patents, and trademarks. It also includes other types of information and protections, such as trade secrets, customer lists, publicity rights and rules against unfair competition. Artistic works like music and literature, as well as some discoveries, inventions, words, phrases, symbols, and designs can all be protected as intellectual property.

Last Resort Behaviour

Communications or actions indicating increasing desperation or distress, or that the person of concern perceives no alternatives to violence. [Citation 3]


Communications, expressions, or memorializations which do not directly threaten but otherwise reveal clues related to a person’s feelings, aspirations, intentions, or plans, about committing violence. [Citation 3]

Maladaptive Behaviour

Behaviour that interferes with the activities of daily life or that is inappropriate in a given setting. [Citation 17]

Malicious Insider Act

Malicious insiders (see below) usually use their intimate knowledge of company’s information resources along with their authorised access to the system to commit malicious, deliberate unauthorised acts that fall under one or a combination of categories like sabotage, fraud, espionage, violence or IP theft.

Malicious Insider

A malicious insider is a current or former employee, contractor, or business partner who has or had authorised access to an organisation’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems.[Citation 15]


Malicious software such as trojans, keyloggers, ransomware, spyware etc. Malware is software designed to infiltrate,disrupt or damage a computer or computer network. [Citation 17]

Media Leak

A media leak is an Insider Risk (see CPIR – Critical Pathway to Insider Risk) that is the unsanctioned release of  confidential information to news media or other outlets or the release of false information or “fake news” designed to harm a person or organization. It can also be the premature publication of information by a news outlet that has agreed to delay release for a specified time.


Information of which inaccuracy is unintentional. Misinformation can spread when journalists misinterpret or fail to independently verify a source’s claims. This is especially likely to occur during an unfolding crisis. News organisations have a duty to keep people informed, especially when public safety may be at risk. However, they also compete for the public’s attention. This gives them an incentive to publish information quickly, to “scoop” competing news outlets. [Citation 3]

Motivational Reasoning

We are inclined/motivated to believe whatever confirms our own thoughts/opinion. After a while this phenomenon can lead to false social consensus. [Citation 7]


Excessive admiration of oneself and/or one’s own appearance, often combined with self-aggrandisement and an extreme craving for admiration. [Citation 17]

Narcissistic Personality Disorder

Personality disorder in which an individual’s inflated sense of self-importance, deep need for admiration, and lack of empathy for others often masks hypersensitivity to criticism. [Citation 17] For a more detailed description see [Citation 28].

Naive Realism

Our tendency to believe that our perception is truth and that what people, who disagree with us think, is not correct or that they are misinformed, irrational or biased. Instead of defining our different opinions we tend to put ‘the other’ in a bad light and consider them ‘inferior’. [Citation 1]

Novel Aggression

This is an act of violence which appears unrelated to any “pathway” behavior and which is committed for the first time. A person of concern may be engaging in this behavior in order to test his ability to actually engage in a violent act and it could be thought of as experimental aggression. [Citation 1]

Personal predispositions

The personal characteristics, relationships and experiences a subject brings to an organization that may place him or her at-risk. Personal predispositions are an element of the critical pathway to insider acts. [Citation 23]

Predatory/Planned Violence

Predatory/planned violence is premeditated and serves some purpose for those who plan and conduct violent attacks. The offender is not reacting to an imminent threat. [Citation 1]


‘Preparation’ is part of the critical pathway crime script. After deciding on a course of action and conducting the necessary background work, a potential offender may then begin to prepare for an actual attack. This step can overlap with research and planning. Behaviours associated with this can include acquiring weapons, assembling equipment, confirming transportation routes, rehearsing attack behaviors and more. [Citation 1]


Psycholinguistics or psychology of language is the study of the psychological and neurobiological factors that enable humans to acquire, use, comprehend and produce language. Psycholinguistic markers are used in (anonymous) digital communications to gain further identifying and threat information about a threat actor and possibly an insider. [Citation 22]

Recruited Insider

The insider is recruited by another party. Vulnerabilities are exploited by others, but there is often also the intent to enrich the recruited insider’s own life. The recruited insider can be aware of the recruitment, but can also be an inadvertent actor. [Citation 7]

Research and Planning

Part of the critical pathway model. This set of behaviors can include any thinking or information seeking needed to form and refine a plan for engaging in a malicious act. This step can overlap with preparation. Behaviours associated with this step could include internet searches; watching news, social media or entertainment programmes; conversing with like-minded others online; and more.  [Citation 1]

Risk Assessment

A calculation, based upon known variables, of a person’s risk for engaging in unlawful activities. Risk level is often based upon static factors rather than warning behaviours, and frequently requires in-person evaluations in a clinical setting. [Citation 1]


Sabotage is a type of Insider Risk (see CPIR – Critical Pathway to Insider Risk), defined as a deliberate act aimed at undermining or incapacitating an organization through obstruction, disruption or destruction.  Sabotage is illegal and often results in severe penalties.

Social Engineering

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access. It differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. [Citation 18]

Socially Engineered Attack

Strategy of attack inducing human error, often tricking or manipulating individuals into breaching normal security protocols. [Citation 17]


The general definition of a target is a person, object, or location that is the focus of an attack. In threat assessment and management casework it is a point of fixation for intended violence. This can include people, buildings, organisations, or more general concepts. [Citation 1]

Targeted Violence

An incident of violence where an assailant chooses a particular target prior to a violent attack [Citation 1].

Threat Management

Managing a person of concern’s behavior through interventions and strategies designed to disrupt or prevent an unlawful act. [Citation 1]

Threat Management Strategy

A coordinated plan of direct and/or indirect interventions with a person of concern which, based on current information regarding level of concern posed, is designed to reduce the likelihood of violence concern in a given situation at a particular point in time. [Citation 1]

Threat Management Team

A multidisciplinary team which coordinates with stakeholders and other third parties to identify, assess, and manage concerns for targeted violence or other malicious acts. [Citation 1]

Unintentional Insider

An unintentional insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organisation’s network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organisation’s information or information systems [Citation 16]

Violence Risk Assessment

A specific tool designed to facilitate evaluation of a person of concern’s probability of committing an act of violence based on personal and situational variables. These tools are utilized by individuals qualified through training, experience, or education to make risk determinations. [Citation 1]

Warning Behaviors.

Warning behaviours are acts which constitute evidence of increasing or accelerating risk. They can be acute, dynamic, and particularly toxic changes in patterns of behavior which may aid in structuring a professional’s judgment that an individual of concern now poses a threat – whether the actual target has been identified or not. [Citation 24]

Workforce Violence

Workplace Violence is a type of Insider Risk (see CPIR – Critical Pathway to Insider Risk), that can be defined as “the intentional use of physical force or power, threatened or actual, against oneself, another person, or against a group or community, that either results in or has a high likelihood of resulting in injury, death, or psychological harm.”  Such acts that are related to work-based personal or professional connections are considered workplace violence. For this purpose, personal or professional connections resulting from attending the same school or working in the same factory or office can constitute a workplace connection.  These relationships may be current or past.

Yellow News

Yellow journalism, or the yellow press, is a type of journalism that presents little or no legitimate well-researched news and instead uses eye-catching headlines to sell more newspapers.Techniques may include exaggerations of news events, scandal-mongering or sensationalism. By extension, the term yellow journalism is used today as a pejorative to decry any journalism that treats news in an unprofessional or unethical fashion such as Fake News.[Citation 5]


  1. Bunn, M., Sagan D., Scott. (2016). Insider Threats. American Academy of Arts and Sciences, Cambridge Massachusetts. Cornell University Press.
  2. (2013). Diagnostic and Statistical Manual of Mental Disorders. 5th ed. American Psychiatric Association.
  3. National Counterintelligence and Security Center. National Insider Threat Task Force Mission Fact Sheet. Department of Justice and Federal Bureau of Investigation.
  4. (2017). Fake News. Wikipedia.
  5. (2017). Yellow News Wikipedia.
  6. Heuer, R., (1999). The Psychology of Intelligence Analysis. Center for the Study of Intelligence. Central Intelligence Agency.
  7. Signpost Six Database (2017).
  8. (2017). Bias Blind Spot. Wikipedia.
  9. (2017). Third-Person Effect. Wikipedia.
  10. (2017). Authority Bias. Wikipedia.
  11. (2017). Declinism. Wikipedia.
  12. (2017). Bandwagon Effect. Wikipedia.
  13. (2017). Availability Cascade. Wikipedia.
  14. (2017). Hostile Media Effect. Wikipedia.
  15. (2017). Glossary of Security Terms. SANS.
  16. Costa, D. (2017). CERT definition of Insider Threat. Insider Threat Blog.
  17. Aiken, M. (2016). The Cyber Effect: A Pioneering Cyber Psychologist Explains How Human Behaviour Changes Online. John Murray Publishers
  18. (2017). Social Engineering. Wikipedia.
  19. (2017). Anchoring. Wikipedia.
  20. (2017). Cognitive Dissonance. Wikipedia.
  21. Munshi, A., Dell, P., Armstrong, H. (2012). Insider Threat Behavior Factors: A Comparison of Theory with Reported Incidents.  In: 45th Hawaii International Conference on System Sciences. IEEE Computer Society.
  22. Pronko, N. H. (1946). Language and psycholinguistics: a review. Psychological Bulletin, 43, May, 189-239.
  23. Shaw, E. and Seller, L. (2015). Application of the Critical Path-Method to Evaluate Insider Risk. Studies in Intelligence. Vol. 59 (2), pp 1-8.
  24. Meloy, R., Hofmann, J. (2011). The Role of Warning Behaviors in Threat Assessment: An Exploration and Suggested Typology. Behavioral Sciences and the Law. Wiley Online Library.  
  25. CERT. (2015). Handling Threats from Disgruntled Employees. Insider Threat Blog.
  26. Festinger, L. (1957). A Theory of Cognitive Dissonance  California: Stanford University Press. / Festinger, L. (1962). Cognitive dissonance  Scientific American. 207 (4): 93–107.